Finding Security Vulnerabilities in Java Applications with Static Analysis Reviewed by Roy Ford.

Me
Graduated University of Waterloo with a B Math in 1985
Worked 23 years with Procter & Gamble
  Telecom, Networking, Mainframe, App Development, ACF2, Voice and Video
Hope to graduate this year

Static Analysis
Scanning of source code to identify potential security problems
Like a spell checker, except we are looking for potential security weaknesses in code
Focus of the paper was the development of a static analysis tool that tests Java Servlets for unchecked input

Reason for doing Static Analysis
A review of 250 Web applications showed that 92% were vulnerable to a hacker attack
75% of all attacks target web-based applications
  Firewalls lock out everything else but port 80

Methods of Injecting Malicious Data
Parameter tampering
  in an HTML form
URL manipulation
Hidden field manipulation
HTTP header tampering
  Referrer field
Cookie poisoning

And what you can do when you inject malicious data
SQL injection
Cross-site scripting
HTTP response splitting
  Forcing the server to send back 2 responses to one GET or PUT
Path traversal
  Reaching files outside of the normal path
Command injection

Static Analysis Architecture
[Diagram: Source and Security Rules feed Parse Source, then Analyze Parse Tree, then Report Results]
A static analysis tool usually works with source code
The source code is parsed as a compiler would parse it
Rules are then applied to the parse tree to validate it
Results are reported back to the user

Paper's Static Analysis Architecture
[Diagram: Java Byte Codes and PQL feed Pointer Analysis and Datalog Queries, which go to the bddbddb Analyzer, which reports to the Eclipse UI]
The system reads in Java byte code
Pointer analysis is done on the byte code
PQL rules are converted to Datalog queries and fed into the bddbddb analyzer
bddbddb generates warnings and feeds the results into Eclipse for reporting

Pointer Analysis
The focus of the tool is to track the propagation of any tainted object through the system
A tainted source is anything that the user can modify
  Input forms, URLs, cookies
A sink is a place where a tainted source can cause a bad result
  SQL statements, command shells
A derivation is a modification of the tainted object
  Usually a String method
The information takes a path through the system, from a source, through derivations, to a sink

Descriptors
Source and sink descriptor
  (Method, parameter #, path)
Derivation descriptor
  (Method, source parameter #, source path, destination parameter #, destination path)
A parameter number of -1 denotes the method's return value

Pointer Analysis (From the Paper)
Source descriptor
  (HttpServletRequest.getParameter(String), −1, e)
Sink descriptor
  (Connection.executeQuery(String), 1, e)
Derivation descriptor
  (StringBuffer.append(String), 1, e, −1, e)

Program Query Language (PQL)
A language that allows the user to specify the source, sink and path of a potential security violation
PQL rules work like regular expressions: if a rule matches, a potential security violation has been identified

PQL Example (From the paper)

query main()
    returns object Object sourceObj, sinkObj;
    matches {
        sourceObj := source();
        sinkObj := derived*(sourceObj);
        sinkObj := sink();
    }

query derived*(object Object x)
    returns object Object y;
    uses object Object temp;
    matches {
        y := x
        | temp := derived(x); y := derived*(temp);
    }

PQL Example (From the Paper)

query source()
    returns object Object sourceObj;
    uses object String[] sourceArray;
         object HttpServletRequest req;
    matches {
        sourceObj = req.getParameter(_)
        | sourceObj = req.getHeader(_)
        | sourceArray = req.getParameterValues(_); sourceObj = sourceArray[]
        | ...
    }

query sink()
    returns object Object sinkObj;
    uses object java.sql.Statement stmt;
         object java.sql.Connection con;
    matches {
        stmt.executeQuery(sinkObj)
        | stmt.execute(sinkObj)
        | con.prepareStatement(sinkObj)
        | ...
    }

PQL Example (From the paper)

query derived(object Object x)
    returns object Object y;
    matches {
        y.append(x)
        | y = _.append(x)
        | y = new String(x)
        | y = new StringBuffer(x)
        | y = x.toString()
        | y = x.substring(_, _)
        | y = x.toString(_)
        | ...
    }
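
As an added example (not the paper's tool, nor code from the presentation), here is a miniature version of the descriptor-driven taint analysis the Descriptors and PQL slides describe: the source, sink and derivation descriptors become tuples, a fixpoint loop plays the role of the derived* closure in the main() query, and a constructed call trace stands in for the bytecode the real tool reads. The names Stmt, slot, find_tainted_flows, the trace itself and the extra (append, 1, 0) derivation are assumptions made here.

```python
from collections import namedtuple
# One statement of a constructed call trace (stands in for the bytecode the tool
# reads): result = receiver.method(args). Parameter numbers follow the slides:
# -1 = return value, 0 = receiver ("this"), 1.. = arguments; the path is always "e".
Stmt = namedtuple("Stmt", "result receiver method args")

# Source and sink descriptors from the slides, as (method, parameter #).
SOURCES = {("HttpServletRequest.getParameter", -1), ("HttpServletRequest.getHeader", -1)}
SINKS = {("Connection.executeQuery", 1), ("Statement.executeQuery", 1)}
# Derivation descriptors as (method, source parameter #, dest parameter #); the
# (append, 1, 0) entry is an assumption added here: append also taints its receiver.
DERIVATIONS = {("StringBuffer.append", 1, -1), ("StringBuffer.append", 1, 0),
               ("StringBuffer.toString", 0, -1)}

def slot(stmt, n):
    """Variable occupying descriptor parameter position n of a statement."""
    if n == -1:
        return stmt.result
    if n == 0:
        return stmt.receiver
    return stmt.args[n - 1] if n - 1 < len(stmt.args) else None

def find_tainted_flows(trace):
    """Return [(sink method, variable, witness path)] per source -> derived* -> sink flow."""
    tainted = {}          # variable -> statements leading from its source to it
    changed = True
    while changed:        # fixpoint: the derived* closure of the PQL main() query
        changed = False
        for st in trace:
            for method, n in SOURCES:
                v = slot(st, n)
                if st.method == method and v and v not in tainted:
                    tainted[v], changed = [st], True
            for method, src, dst in DERIVATIONS:
                s, d = slot(st, src), slot(st, dst)
                if st.method == method and s in tainted and d and d not in tainted:
                    tainted[d], changed = tainted[s] + [st], True
    return [(st.method, slot(st, n), tainted[slot(st, n)])
            for st in trace for method, n in SINKS
            if st.method == method and slot(st, n) in tainted]

# Constructed trace of a servlet that builds an SQL string from a request parameter.
TRACE = [
    Stmt("name", "req", "HttpServletRequest.getParameter", ['"user"']),
    Stmt("sb1", "sb", "StringBuffer.append", ["prefix"]),                 # constant text
    Stmt("sb2", "sb", "StringBuffer.append", ["name"]),                   # taints sb
    Stmt("query", "sb", "StringBuffer.toString", []),
    Stmt("rs", "con", "Connection.executeQuery", ["query"]),              # reported
    Stmt("ua", "req", "HttpServletRequest.getHeader", ['"User-Agent"']),  # never sinks
    Stmt("rs2", "con", "Connection.executeQuery", ["literal"]),           # constant: safe
]
```

Running find_tainted_flows(TRACE) reports exactly one flow, the getParameter result reaching Connection.executeQuery through append and toString; the header value is tainted but never reaches a sink, and the constant query is not reported. Like the paper's analysis this is flow-insensitive: statement order within the trace does not matter.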

Test Results
Tool tested on 9 open source Java systems
Total of 392 sources and 393 sinks
41 potential security violations
  12 false positives
  29 security errors

Questions
What problem does this work attempt to solve?
What are the most important novel contributions?
Are the conclusions supported?
What other explanations exist?
What modifications would improve the research?
Is the analysis sound?

Useful Links
Benjamin Livshits' old Stanford website
Benjamin Livshits' paper presentation
Technical report
SecuriBench benchmark test samples
bddbddb